How Should the U.S. Respond to a Russian Cyberattack?

Following the hacking of the Democratic National Committee in 2016, the United States has publicly expressed concern that it could imminently face additional cyber attacks. Public discourse has focused on Russia as a likely culprit, calling attention to its seemingly advanced military technology in Syria, President Putin’s prioritization of information warfare, and recent political interactions with the United States. Historical analysis of Russia’s strategic military choices suggests that the state would prioritize the United States’ information technology (IT) and communications critical infrastructure as key cyber targets. In reaction to such an attack, the United States would have to choose from a spectrum of military and intelligence counter-responses, ranging from lower-level alternatives to those with high potential for escalation.

Political Landscape

Recent attribution reports by private cybersecurity firms CrowdStrike and Mandiant allege that Russia conducted the 2015-2016 hacks on the Democratic National Committee (DNC).[i] In defense of admittedly weak international cyber norms, the United States argues that Russia has violated what all responsible nations would consider acceptable state behavior.[ii] Given the absence of an immediate response to these violations and the lengthy attribution process, it can conceivably be argued that the American population has become complacent, especially considering the minimal military responses to other publicized cyber intrusions (e.g., Sony Pictures and the Office of Personnel Management) and the commonplace assertion that “the hacker always gets through” and defenses are limited.[iii] Admiral Michael S. Rogers, Director of the National Security Agency (NSA) and U.S. Cyber Command, believes that this complacency will only vanish if a cyberattack on U.S. soil achieves large-scale destruction.[iv]

Russian Strategy and Capabilities

The U.S. Intelligence Community’s 2015 Worldwide Threat Assessment highlighted China and Russia as the “‘most sophisticated nation-state actors’ in the new generation of cyberwarfare” and noted that Russian hackers are notably erudite, with impressive programming power and inventiveness.[v] Publicly, and with the exception of the U.S. Stuxnet incident, Russia is the only state that has successfully augmented cyberwarfare with conventional warfare, evidenced when Russian hackers manipulated blast furnace control systems in a German steel mill in 2014, conducted cyber-to-conventional operations against Georgia in 2008, and interfered with a French television network, the Polish stock market, and the U.S. State Department.[vi] This intent and capability to supplement cyber intrusions with conventional consequences demonstrates the unique and serious character of the Russian cyber threat.

Russia’s political elite has prioritized these capabilities. The Henry Jackson Society, a global think tank, wrote in 2016 that, “as far as the Kremlin is concerned, geeks and hackers now rank alongside soldiers and spies as weapons of the state”.[vii] Russian military and academic elites have published a plethora of documents over the past decade describing the state’s desire to modernize its information warfare defenses and capabilities, as well as its strategy of utilizing cyber means to disrupt its enemy’s weapons, decision-makers, and the minds of average citizens.[viii] The information-psychological aspects of information warfare have an integral role within the strategies of these documents, demonstrating the possibility that Russia could contextualize an attack within a greater emergency context, in the hopes of causing disorganization within the American citizenry, resulting in panic or loss of life.[ix] These leaked policies, along with Russia’s history of attacks, clearly demonstrate significant cyber capabilities and a willingness to target critical industries.

Strategically, Russia has an incentive to employ its cyber arsenal to further its broader political aims. A 2015 NATO report applauded Russia’s unique ability to foresee the broader impact of technology on the battle space, and the military advantage of using cyber attacks to “intensify the fog of war”.[x] Russia is not likely to target something without an end goal; rather, the state would aim to confuse the United States just enough to force it to begin and escalate a low-level, minimal-stakes cyber conflict. This strategy of prepping the battlefield is consistent with Russia’s strategy during the Cold War, when operatives constructed maps of U.S. cities for future exploitation. Within the scope of cyber, this strategy would translate to Russian intelligence operations conducted against the United States, with the goal of acquiring information related to Russian activities in Ukraine and Syria and U.S. military operations, and of generally “prepar[ing] the cyber environment for contingencies”, or later opportunities to abuse the intrusions.[xi]

In order to achieve this strategic preparation, Russia could choose from an array of cyber tools possessed by two prominent hacker groups, APT29 and APT28. According to NATO, APT29 (reportedly supported directly by the government) has successfully spear-phished information related to Russian geopolitical interests, while APT28 has historically targeted European states.[xii] Analyzing older case studies of Russian cyber attacks clarifies both their toolkits and strategic variance. Back in 2008, Russia was able to manipulate its IP addresses with Agent BTZ to penetrate U.S. military networks, and throughout 2013-2014, used highly complex malware to penetrate Ukraine.[xiii] In 2014, researchers discovered that this malware, called Sandworm, had used zero-day exploits (largely in email attachments) to infect energy and telecommunications firms, as well as government targets.[xiv]

Russian Cyberattack on the United States

Russia’s past strategic choices, in and out of cyber, demonstrate an unwillingness to commit an act that could trigger a full-scale, potentially nuclear war. The country’s focus on battlefield preparation and intelligence gathering suggests that its strategies would work to take advantage of U.S. complacency via the preponderance of smaller-scale cyber attacks, and that it would conduct an attack unlikely to trigger a full-scale military response. Moreover, by choosing an industry with consequences limited to the U.S., Russia could avoid damaging its alliances or inciting other states to join forces against Russia militarily, politically, or economically. According to this analysis, Russia would choose not to conduct a cyber attack on the majority of the United States’ critical infrastructure sectors, for fear of over-escalation.[xv] Attacks on the defense, nuclear, and chemical sectors could be immediately considered acts of war, while attacks on the financial, food and agricultural, or critical manufacturing sectors would be likely to enrage global states dependent on the U.S. for economic stability. Thus, with these historical strategic choices and toolkits in mind, if Russia were to conduct a cyber-to-conventional attack against the United States, one can argue that it would choose to target either the communications or IT critical infrastructure sectors.

A Russian attack on these sectors could take several forms. In several scenarios, Russia could use any of the following tools to cause serious damage to U.S. operations:

Social engineering [taking advantage of human vulnerabilities to dismantle cybersecurity]

Targeted Zero-Days [the early acquisition, via purchase or discovery, of knowledge regarding system vulnerabilities, and the ability to act early on those vulnerabilities]

Exploits [Identifying vulnerabilities, and using tools to break into systems and alter, steal, or block data].[xvi]

In the past, Russian cyber operations against the United States manifested largely as simple procedures, requiring little financial and operational support. Throughout 2014 and 2015, Russia employed more complex strategies against government computers, including “disguising the electronic ‘command and control’ messages that set off alarms for anyone looking for malicious actions.”[xvii] This precedent for evading alert systems demonstrates that even robust U.S. monitoring systems could have trouble catching Russian intrusions within the window necessary to stop or identify the hack. “If the adversaries know you are aware of their presence, they will take steps to burrow in, or erase the logs that show they were present”, said Michael Sussmann of the law firm Perkins Coie, detailing the DNC’s lack of response to suspicions of unauthorized access in its systems.[xviii]

If one assumes that the Russian strategy of doxing, or broadcasting stolen intelligence, was meant to disrupt U.S. politics and intensify the fog of war, then the Russians achieved their goal, and would be likely to repeat this tactic against government executives within the communications and IT industries.

Of a more significant nature, Russia could graduate from doxing and focus on tactics with more immediate conventional consequences. By targeting central systems within the IT and communications industries, using DDoS attacks or stealing information that could cripple internal proceedings, Russia could disrupt service for thousands of phone customers or sever the Internet for millions of consumers. They could also shut down government IT operations during wartime, or disrupt national emergency alert services, including 911 networks or emergency broadcast stations, during a national disaster. The latter scenarios could cause immense economic and military harm to the United States and even result in loss of life and safety.

There are an overwhelming number of vulnerabilities within these systems, including their interdependencies with other sectors. The communications sector is inextricably linked with the energy, IT, banking and finance, postal and shipping, and emergency services sectors, while the IT sector provides control systems, technology and Internet infrastructure, and operating systems for all major military and civilian networks.[xix] While this private sector involvement, and its corresponding large defense budget, presents certain strengths, these systems present additional vulnerabilities to Russian cyber actors, as a majority of their operations lack government oversight.

While the military faces consistent conventional threats, the United States can at least determine and control the budget that the military commits towards protecting the physical targets under its purview. However, a huge number of nodes within the United States’ critical communications systems are managed by private companies, such as FOX and PBS, which have private-sector driven priorities such as bottom lines, and could not ostensibly perform seamless defensive cybersecurity collaborations with the government. This lack of centralization is a clear challenge for national defense.[xx] Although these companies certainly have incentives to implement sufficient security features, they are inherently for-profit organizations. The National Telecommunication and Information Administration (NTIA) cautioned in 2013 that these infrastructure operators “would invest in cybersecurity to a level that is justifiable according to their own business plans – this is a unique warfare threat – we have private companies responsible for determining budgets for issues of national security”.[xxi]

However, notwithstanding profit-based priorities, private companies also have a significantly larger cybersecurity arsenal than the government. Over five years, the private sector doubled its spending on cybersecurity from $40 billion to $80 billion, while the Department of Homeland Security, specifically tasked with defending the U.S. homeland on the ground and in cyberspace, received a mere $59 billion in 2012 for all of its programs.[xxii] However, the NTIA has argued that even this large private sector budget cannot account for and prevent “remote cyber threats”, which inherently make up the majority of attacks.[xxiii] Cyber attacks are much harder to anticipate or prepare for than conventional attacks, and it is never immediately clear what caliber defense will be required to slow said attack, or trace the attack back to its origins for future countermeasures.

U.S. Defense Capabilities

Although the United States did not announce a comprehensive national cybersecurity plan until recently, in 2013, in response to the mandate of Presidential Policy Directive 21, Critical Infrastructure Security and Resilience, the United States published the National Infrastructure Protection Plan, which included defense strategies and implementations for each critical infrastructure sector.[xxiv] The plan assessed sector-specific vulnerabilities and risk profiles, likely targets, and methods of addressing those vulnerabilities.[xxv]

These methods include several priorities for passive and active protections. Under the plan, the government must perform continuous monitoring and diagnoses of all CI cyber systems, and conduct immediate information sharing during and after all cyber incidents. Sectors must also back up essential information on remote servers disconnected from the Internet, to ensure redundancy in the case of attack. Over time, key operational functions must also be removed from Internet-connected networks, to ensure that any incidents can be sufficiently contained from public consequences.[xxvi]

Defense Scope of Communications and IT Sectors

The communications sector represents a large host of attack vulnerabilities. In 2014, Information and Communications Technology (ICT) accounted for 3.5 million jobs, and $1 trillion of the U.S. GDP (7 percent of the economy).[xxvii] This cyber infrastructure includes access networks, and thousands of cable systems, satellites, and wireless networks. Russia could specifically capitalize on these opportunities by targeting private-sector-managed gaps within the industry’s supply chains, including:

Power and data sources [Physical infrastructures such as data centers provide energy and information to networks that serve millions of consumers].

Diesel fuel centers for generators [These fuel centers keep generators alive, and allow for systems to transport data between different areas of the network].

Fuel transportation [Roads and trucks are required to transport physical infrastructure crucial to maintaining IT and communications networks open, and are thus vulnerable as physical, isolated, and moving targets].

Technological products [Communications and IT networks depend on physical pieces of technology to move and retain information between computers and other devices, such as routers, as well as software that automates crucial government processes].

The IT sector, while similar in scope to the communications sector, includes newer “trends” in vulnerabilities that are open to attack, including an increasing reliance on the Internet of Things (IoT), cloud computing, and mobile computing.[xxviii] Likely targets for a cyber attack within this sector could include:

In recognition of these vulnerabilities, and the disastrous consequences that could result from an attack on each critical node, the government conducts continuous aggressive active defenses on behalf of each of these sectors, and continuously looks for intrusions, suspicious activity, or alterations in content. These active defenses include information sharing, technical tools that slow hackers at the perimeter (tarpits and honeypots), denial and deception (providing false information in front of legitimate information), beacons (software hidden in files that sends an alert in response to unauthorized access), hunting (rapidly enacted technical measures that evict adversaries already present in a network), intelligence gathering in the Deep Web and Dark Net (continuous and covert human intelligence to identify likely adversaries and toolkits), and White-hat ransomware (legal malware utilized by public-private partners to obtain stolen information and return it to proper owners).[xxx]

Government Organization to a Cyber Attack

In 2016, under the mandate of Presidential Policy Directive (PPD) 41 – United States Cyber Incident Coordination, the White House released the definition of a significant cyber attack as something “likely to result in demonstrable harm to national security interests, foreign relations, the domestic and global economy, public confidence, civil liberties, or public health and the safety of the American people”.[xxxi] A Russian cyber attack on communications or IT critical infrastructure, particularly in the context of a national emergency or special circumstances, could fall under this classification.

In the event of such an attack, the United States would draw together the National Cyber Response Group, which would lead the defensive response in support of the National Security Council.[xxxii] The Secretary of Defense and the directors of the Intelligence Community agencies would manage incoming cyber threats, and any movement that would more reasonably require an active military response. Were the telecommunications nodes of the National Security and Emergency Preparedness sector to fail, the National Coordinating Center for Communications (NCC) would be responsible for restoring those capabilities.[xxxiii] Additionally, as part of the mandate of PPD-41, if an operation with clear attribution were to occur, the Cyber Response Group would then call upon a cadre of qualified and trained cyber personnel to mitigate and respond to the cyber incident. Theoretically, these participants would have been training together in war games and practice sessions prior to the Russian intrusion.

U.S. Strategic Responses

Upon mitigating the immediate effects of a significant cyber incident, the United States would consider the range of strategic and tactical responses it could direct towards Russia. As a minimal alternative, the United States could choose to respond by non-military means, including indictment, diplomacy, or sanctions.[xxxiv] As a lower-level military and intelligence strategy, the United States could then choose to respond with counter-surveillance intelligence operations, a non-attributable cyber or conventional attack, or an attributable cyber or conventional attack.[xxxv] These operations could target Russia’s military, civilian, or critical infrastructure systems. In acknowledgement of NATO’s classification of cyberspace as the fifth operational domain, it is likely that if the United States attributed a significant cyber incident on its soil to Russia, it would respond in an aggressive cyber manner. Although it is also possible that the United States would respond with purely conventional military operations, the potential for escalation suggests that the United States would prefer to solely employ cyber operations in its response.

Low-Level Attributable Cyber Intrusion

The United States could respond with a low-level cyber intrusion, falling across a spectrum of cyber incidents that could not be classified as a major attack. This intrusion could come from what have been dubbed “loud cyber weapons”, or tools that can definitively be traced back to the U.S. military.[xxxvi] The military would send these weapons, embedded with encrypted codes, into Russian networks. The United States would then publicly provide the encryption key to claim responsibility. This intention of causing attributable damage represents a key paradigm shift in U.S. military strategy, one in which attribution is a key aspect of a successful operation, and the publication of the attribution is vital for deterrent strategy.

The United States could also conduct simpler cyber intrusions against Russia’s network, including defacements of government websites, disruptions of Internet services, interferences and disablements of communications, or the dissemination of propaganda.[xxxvii] Following the hack of the DNC, senior government officials discussed options for counter-cyberattacks on the Russian Federal Security Service (FSB) and the Main Intelligence Agency (GRU), including the utilization of the NSA’s TreasureMap tool, which tracks all global connections to the Internet, and could be used to place malware in targeted Russian computer systems for intelligence gathering and future cyber-assaults.[xxxviii],[xxxix]

Medium-Level Cyber Attack – No Immediate Casualties

Using logic bombs, the United States could also conduct a cyber operation against military and non-military targets. By sending in these logic bombs to self-destruct within Russia’s critical infrastructure, the U.S. could cause serious economic and operational damage.[xl] It is likely these logic bombs are fairly well-developed; back in 2014, U.S. Cyber Command offered a $460 million contract to develop a “computer code capable of killing adversaries”.[xli]

High-Level Cyber Attack – Possible Casualties

By using logic bombs or other cyber intrusion methods, the United States could attack Russian critical infrastructure in a more serious manner, with a larger potential for loss of human life or safety. These attacks could include hacking into a dam located above a populated area or disabling air traffic control services. These options, particularly if they are easily attributable, have the potential to escalate quickly.

Military-Level Cyber Attack – Escalatory

The United States could use similar cyber operations to directly attack Russian military targets, which could include shutting off the power at a nuclear facility or an airfield, causing serious casualties and crossing a notable escalatory threshold. Of note, many Russian industrial networks run on Windows XP or comparable older systems while remaining connected to the Internet. Not only are these systems extremely vulnerable to attack, but the United States has already demonstrated its ability to break into them. In November 2016, the United States reportedly penetrated Russian military systems and left behind malware, to be activated in the case of Russian interference in U.S. elections.[xlii] This demonstrated both confidence in the success of the malware implant and political willingness to trigger a consequential conflict.[xliii]

Strategic Considerations for U.S. Decision

In response to a Russian cyber attack, the United States’ strategic responses would stem from its classification of the incident as non-significant, significant, or an act of war. Testifying in July 2016 before the House Subcommittees on Information Technology and National Security, State Department Cyber Coordinator Chris Painter said the United States would respond to incidents on a case-by-case basis, adding that “it could be through cyber means. It could be through diplomacy. It could be through indictments and law enforcement actions.”[xliv]

Some of these responses would require a declaration that a threshold of war had been crossed, and would be accompanied by regulatory support for more aggressive action. This declaration would depend on the actual and anticipated effects of any cyber incident, including injury, damage, and death.[xlv] Painter testified that, “cyber activities may in certain circumstances constitute an armed attack that triggers our inherent right to self-defense as recognized by Article 51 of the U.N. Charter.”[xlvi] The United States could also justifiably accuse a cyber-attack of infringing upon its territorial integrity or political independence, per Article 2(4) of the Charter.

Recent political precedents suggest that the United States would be hesitant to invoke Article 51, even if a Russian cyber attack resulted in nominal deaths, injury, or damage. Instead, it would limit its declarations and label the attack a ‘significant cyber incident’, invoking the full support of the U.S. military while avoiding over-escalation. Moreover, even though NATO has justified military responses within cyberspace, the lack of precedent or norms means that the United States would actually have more creative license in responding to Russia if it were to use cyber means, which may or may not result in conventional consequences.

With this in mind, the United States would have to choose between a hidden or obvious counter-cyberattack. The above tactical considerations demonstrated that a hidden, non-attributable cyber attack would not fall within the Department of Defense’s deterrence strategy, and would thus be discarded as a strategic option. Following North Korea’s reported hack into Sony Pictures in 2014, the United States did not publicly respond with a cyber operation, and it was “unclear how the United States may have retaliated against the North in secret, if it even did so.”[xlvii] This, along with public and mild economic sanctions, was deemed incredibly ineffective.

This would leave the United States with the opportunity to perform an immediately observable cyber attack (using a “loud cyber weapon”) or a preparatory attack (such as a logic bomb), and it could target either Russian military or civilian infrastructure.[xlviii] Similarly to Russia’s temperament, the United States would also likely avoid directly targeting a military structure, to avoid escalation and a possible world war. Thus, the United States would most likely choose to deploy a cyber weapon against critical Russian infrastructure, resulting in conventional consequences. Even if considered a medium-level choice in terms of escalatory possibilities, this strategic decision would have to take into account the global ramifications of an attributable cyber-to-conventional attack. General Keith Alexander testified before Congress in 2016 that attribution and response via offensive cyber capabilities must only occur if the actor is prepared to use them immediately.[xlix]

Strategic Ramifications of Russian Cyberattack and U.S. Counter-Attack

Although the above outlines the need for a U.S. counter-cyber attack, such a response would have drastic normative implications. Even though President Obama said in September 2016 that, “we’re moving into an era here where a number of countries have significant capacities. And frankly, we’ve got more capacity than anybody, both offensively and defensively”, his administration also fears initiating a digital arms race. Strategically, “our goal is not to suddenly in the cyber arena duplicate a cycle of escalation that we saw when it comes to other, you know arms races in the past, but rather to start instituting some norms so that everybody’s acting responsibly.”[l]

This is not to say that the Russian attack on the U.S. Electoral System, nor any potential attack on critical infrastructure, would be the first time the United States had to worry about cyber intrusions into its government systems. Even back in 1984, President Ronald Reagan saw the potential for intrusions, and signed the first Presidential Directive on computer security. The United States knew that someday, foreign entities could hack into U.S. military systems because they were already hacking into foreign systems themselves.[li] As of 2016, more than twenty countries have offensive and defensive cyber units in their militaries, including Iran, Syria, and North Korea. The United States has been conducting counter-surveillance, intelligence, and intrusive operations against these adversaries for decades.

However, until now, the effects of these seemingly continuous and constant cyber battles have been limited. While militaries have registered each other’s intrusions and responded, and corporate entities have registered ongoing hacks into their systems, there has yet to be a big, public, conventional result from a cyber operation. Thus, even if Russia were to blatantly and publicly cross the normative threshold that most militaries hold themselves accountable to, the United States would be cautious about an overly zealous response, for fear of escalation.

Still, fear of escalation should not preclude U.S. response, particularly if the significant Russian attack is, in fact, significantly harmful. Although a cyberattack on U.S. infrastructure would fall under the purview of national defense, it is important to consider the economic and political consequences of such an attack, regardless of the U.S. response or any future escalation.

These attacks are costly. According to RAND, first party losses, or those incurred as a direct result of the incident (investigations, customer support, notification), and third party losses (lost revenue and market valuation) as a result of cyber incidents cost the world more than $8.5 billion annually.[lii] Between 2004 and 2015, the study found that the U.S. government faced roughly 1,300 cyber incidents.[liii]

However, the more pressing costs are those relating to deterrence. Long-term, a less reputable U.S. defense system and a lack of confidence in U.S. digital infrastructure can be damaging both economically and politically, and invite further attacks from state and non-state actors. These costs are near impossible to quantify, which makes decision-making and prioritization more difficult.

The question of confidence in the United States expands. Although cyberattacks are increasingly considered common, and businesses register thousands of penetrations each year, the world has yet to see a cyber-to-conventional attack that would trigger a significant response. Thus, as a justifiable leader in the international norms sphere, the United States would have to consider the strategic implications of setting that sort of norm.

About the Author

Nicole Softness is a graduate student at Columbia University’s School of International and Public Affairs, studying International Security & Cyber Policy. Her research focuses on the intersection of counterterrorism and social media, succeeding an undergraduate thesis on al Qaeda’s messaging strategies. She is currently the Research Assistant for Columbia’s Initiative on the Future of Cyber Risk.

[xxv] United States. U.S. Department of Homeland Security. DHS.gov. United States Government, 2013. Web. <https://www.dhs.gov/sites/default/files/publications/National-Infrastructure-Protection-Plan-2013-508.pdf>.

[xxxvii] United States. U.S. Department of Defense. Office of General Counsel. Department of Defense Law of War Manual – June 2015. United States Government, June 2015. Web. 12 Dec. 2016. <http://archive.defense.gov/pubs/law-of-war-manual-june-2015.pdf>.

[xxxix] Sanger, David E. “U.S. Wrestles With How to Fight Back Against Cyberattacks.” Nytimes.com. The New York Times, 31 July 2016. Web. 12 Dec. 2016. <http://www.nytimes.com/2016/07/31/us/politics/us-wrestles-with-how-to-fight-back-against-cyberattacks.html>.

[xlvi] United States. Cong. House. House of Representatives Committee on Oversight and Government Reform Subcommittees on Information Technology and National Security. Hearing on “Digital Acts of War: Evolving the Cybersecurity Conversation”. Testimony of Christopher M. E. Painter, Coordinator for Cyber Issues, U.S. Department of State, 13 July 2016. Web. 12 Dec. 2016. <https://oversight.house.gov/wp-content/uploads/2016/07/Painter-Statement-Digital-Acts-of-War-7-13.pdf>.

[xlvii] Sanger, David E. “U.S. Wrestles With How to Fight Back Against Cyberattacks.” Nytimes.com. The New York Times, 31 July 2016. Web. 12 Dec. 2016. <http://www.nytimes.com/2016/07/31/us/politics/us-wrestles-with-how-to-fight-back-against-cyberattacks.html>.